User Manual

 


Manage tags with tagcreate and tagdelete

This documentation does not apply to the most recent version of Splunk.


All tags are stored in the tags.conf configuration file. This topic shows you how to add tags to tags.conf, and how to disable them, using the tagcreate and tagdelete search commands with a subsearch.

For more information about editing tags manually with tags.conf, refer to the Admin Manual.

Note: This example is based on the Tagging with Splunk 3.3 feature video, which discusses the tagcreate and tagdelete search commands.


Create tags with tagcreate

Let's say you have a network of machines and a set of users who each have accounts on at least one of the machines. To search for the list of unique users of any one machine, you might use this:

<hostname> user | fields +user | dedup user

where hostname is the name of the machine and user is an extracted field name for the user accounts on the machine. The fields command strips out all the fields from your results except user. The dedup command removes duplicates; the result is a list of unique users.

Now, you want to create tags for each user to indicate which machines they use. To do this, pass the previous search as a subsearch to the tagcreate search command. For example, to tag users of wexford with wexford_user:

| tagcreate wexford_user [search wexford user | fields +user | dedup user]

The tagcreate command adds a list of tags into a stanza in tags.conf. When you tagged the user field in Splunk Web, Splunk added a [user] stanza to the tags.conf file. In each stanza in tags.conf, each tag has its own line:

[user]
tag::brian::wexford_user = enabled
tag::jason::wexford_user = enabled
tag::sophy::wexford_user = enabled
tag::barry::wexford_user = enabled

Note: You cannot have multiple tags in a tags.conf stanza line.

Now, Splunk Web includes the tag wexford_user next to the user field name and value. If you want to list all the machines the user can access next to the field, you can run this tagcreate for each hostname.


Disable tags with tagdelete

To disable these tags, use the tagdelete command and the same subsearch:

| tagdelete wexford_user [search wexford user | fields +user | dedup user]

For the same set of users, tags.conf now reads:

[user]
tag::brian::wexford_user = disabled
tag::jason::wexford_user = disabled
tag::sophy::wexford_user = disabled
tag::barry::wexford_user = disabled

Note: tagdelete does not actually delete tags from tags.conf. It disables them so they do not display in Splunk Web. To remove them, you have to manually edit tags.conf.
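Because tagdelete leaves disabled entries in the file, a review of tags.conf can list them before the manual cleanup. The following is an added example, not part of the Splunk documentation: it parses the stanza and line format shown above, reports the disabled tags, and returns the text with those lines removed. The function names and the sample text are constructed for illustration.

```python
import re

# Line format shown on this page: tag::<field value>::<tag name> = enabled|disabled
TAG_LINE = re.compile(
    r"^tag::(?P<value>.+)::(?P<tag>[^:=\s]+)\s*=\s*(?P<state>enabled|disabled)\s*$")
STANZA = re.compile(r"^\[(?P<field>[^\]]+)\]\s*$")

# Constructed sample: the [user] stanza after tagdelete, with one tag still enabled.
SAMPLE = """\
[user]
tag::brian::wexford_user = disabled
tag::jason::wexford_user = disabled
tag::sophy::wexford_user = enabled
tag::barry::wexford_user = disabled
"""

def parse_tags(text):
    """Return (field, value, tag, state) for every tag line under a stanza."""
    entries, field = [], None
    for raw in text.splitlines():
        line = raw.strip()
        stanza = STANZA.match(line)
        if stanza:
            field = stanza.group("field")
            continue
        m = TAG_LINE.match(line)
        if m and field is not None:
            entries.append((field, m.group("value"), m.group("tag"), m.group("state")))
    return entries

def disabled_tags(text):
    """Tags that tagdelete left behind: still in the file, but marked disabled."""
    return [(f, v, t) for f, v, t, s in parse_tags(text) if s == "disabled"]

def prune_disabled(text):
    """Return the text with disabled tag lines removed; all other lines are kept."""
    kept = []
    for raw in text.splitlines():
        m = TAG_LINE.match(raw.strip())
        if m and m.group("state") == "disabled":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for field, value, tag in disabled_tags(SAMPLE):
        print(f"disabled: [{field}] {value} -> {tag}")
    print(prune_disabled(SAMPLE), end="")
```

A stanza header whose tags were all disabled is left in place by prune_disabled, so an empty stanza may remain in the output.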

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14

